Static Application Security Testing (SAST) is a technique that statically analyzes program source code to detect problems within it. That is, SAST performs such analysis without actually executing (running) the program. In some examples, problems within the source code can compromise the security of a computer program. Such problems can be caused by unchecked (unvalidated) data-flows from a sink, e.g., input from a user, to a source, e.g., access to a database.
A problem that a SAST tool has to solve is to detect whether a dataflow between a sink and a source contains a sanitizer. In some examples, sanitizers include functions that validate the data from the source. Some SAST tools use a pre-defined list of sanitizers, which has several limitations. For example, a pre-defined list could be incomplete, such that it does not contain a particular function that is provided in the source code and that correctly sanitizes input. This results in false positives, where false warnings are indicated and need to be manually analyzed, which is labor-intensive and, thus, costly. As another example, a pre-defined list only includes static information about the sanitizers, which can be coarse-grained. This can result in incorrect detection of sanitizers and, thus, in false negatives, where actual vulnerabilities are not reported.
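The two limitations described above can be made concrete with a small taint-tracking analysis. The following is an added example written for this page, not the implementation the text describes: it walks a Python module with the standard `ast` library, propagates taint from a hypothetical source (`input`) through assignments and string concatenation, and reports every hypothetical sink (`execute` for SQL, `write` for HTML) reached by unsanitized data. The analysis is run twice over the same constructed sample program: once with a coarse pre-defined sanitizer list that treats every listed sanitizer as neutralizing every kind of taint and that lacks the project's own `validate_name`, and once with a fine-grained, project-aware table. The names `escape_html`, `quote_sql`, `validate_name`, `cursor` and `page` are all assumptions made for the example.

```python
import ast

# Constructed, hypothetical model of a small SAST taint analysis (not the
# page's implementation). Sources introduce taint; sinks are keyed by the
# kind of injection they are sensitive to; sanitizers neutralize taint for
# specific sink kinds only.
ALL_KINDS = frozenset({"sql", "html"})
SOURCES = {"input"}                            # taint enters here (user input)
SINKS = {"execute": "sql", "write": "html"}    # sink name -> kind it is sensitive to

# A coarse pre-defined list: every listed sanitizer is assumed to neutralize
# taint for every sink kind, and the project's own validate_name() is absent.
PREDEFINED_COARSE = {"escape_html": ALL_KINDS, "quote_sql": ALL_KINDS}

# A fine-grained, project-aware table: each sanitizer covers only the sink
# kinds it actually protects, and the project-specific sanitizer is included.
PROJECT_AWARE = {"escape_html": frozenset({"html"}),
                 "quote_sql": frozenset({"sql"}),
                 "validate_name": frozenset({"sql"})}


def _call_name(call):
    """Return the bare function/method name of a call, or None."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _unsafe(expr, tainted, sanitizers):
    """Sink kinds for which `expr` still carries unsanitized taint."""
    if isinstance(expr, ast.Name):
        return tainted.get(expr.id, frozenset())
    if isinstance(expr, ast.BinOp):            # string concatenation propagates taint
        return _unsafe(expr.left, tainted, sanitizers) | _unsafe(expr.right, tainted, sanitizers)
    if isinstance(expr, ast.JoinedStr):        # f-strings propagate taint too
        return frozenset().union(*(_unsafe(v.value, tainted, sanitizers)
                                   for v in expr.values if isinstance(v, ast.FormattedValue)))
    if isinstance(expr, ast.Call):
        name = _call_name(expr)
        if name in SOURCES:
            return ALL_KINDS
        from_args = frozenset().union(*(_unsafe(a, tainted, sanitizers) for a in expr.args))
        if name in sanitizers:                 # sanitizer cuts the flow for the kinds it covers
            return from_args - sanitizers[name]
        return from_args
    return frozenset()


def _check_sink(call, lineno, tainted, sanitizers, findings):
    """Record a finding if a sink receives taint of the kind it is sensitive to."""
    kind = SINKS.get(_call_name(call))
    if kind is None:
        return
    if any(kind in _unsafe(a, tainted, sanitizers) for a in call.args):
        findings.append((lineno, _call_name(call)))


def _scan(stmts, tainted, sanitizers, findings):
    """Walk statements in source order, updating the per-variable taint state."""
    for stmt in stmts:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            if isinstance(stmt.value, ast.Call):
                _check_sink(stmt.value, stmt.lineno, tainted, sanitizers, findings)
            kinds = _unsafe(stmt.value, tainted, sanitizers)
            if kinds:
                tainted[stmt.targets[0].id] = kinds
            else:
                tainted.pop(stmt.targets[0].id, None)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            _check_sink(stmt.value, stmt.lineno, tainted, sanitizers, findings)
        for field in ("body", "orelse"):        # descend into if/for/while/def bodies
            nested = getattr(stmt, field, None)
            if isinstance(nested, list):
                _scan(nested, tainted, sanitizers, findings)


def analyze(source_code, sanitizers):
    """Return [(line, sink)] for every sink reached by unsanitized taint."""
    findings = []
    _scan(ast.parse(source_code).body, {}, sanitizers, findings)
    return findings


# Constructed sample program under analysis (not from the page). Line 2 is a
# real unchecked flow; line 3 is correctly HTML-escaped; line 4 is only
# HTML-escaped before a SQL sink; line 5 uses the project's own sanitizer.
APP_CODE = """\
user = input()
cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
page.write("<b>" + escape_html(user) + "</b>")
cursor.execute("SELECT * FROM users WHERE name = '" + escape_html(user) + "'")
cursor.execute("SELECT * FROM users WHERE name = '" + validate_name(user) + "'")
"""

if __name__ == "__main__":
    # Coarse list: line 4 is missed (false negative), line 5 is reported (false positive).
    print("coarse pre-defined list:", analyze(APP_CODE, PREDEFINED_COARSE))  # [(2, 'execute'), (5, 'execute')]
    # Project-aware table: exactly the two real problems are reported.
    print("project-aware table:    ", analyze(APP_CODE, PROJECT_AWARE))     # [(2, 'execute'), (4, 'execute')]
```

With the coarse list, the analysis misses line 4 because `escape_html` is recorded as a universal sanitizer (a false negative from coarse-grained static information), and flags line 5 because `validate_name` is not on the list (a false positive that an analyst would have to triage by hand). The project-aware table, which records for each sanitizer the sink kinds it actually covers, reports exactly the two real problems.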